- USDT(TRC-20)
- $0.0
Two-factor authentication (2FA) is a fantastic security measure, but not all 2FA is created equal. SMS-based 2FA is by far the least secure authentication option, and yet, far too many companies use this method as default. Hackers know this, which is why they target users' 2FA codes to commit fraud and steal access to Google accounts. All that said, any 2FA is better than no 2FA, so it's worth tolerating SMS-based authentication if it's the only 2FA option offered.
Now, however, the winds are changing: Google is the latest company looking to switch from SMS codes to an alternative method. As reported by Forbes, the company is planning to shift from SMS codes to QR codes. This is a good thing, even if it changes how you sign into your Google Account.
It's surprisingly easy to get hold of an SMS code. If someone steals your smartphone, for example, they'll be able to access all of the SMS codes it receives. But scammers don't need physical access to intercept your SMS codes. In fact, they can do this while sitting in another part of the globe.
Scammers can trick carriers into taking over your phone's SIM card. From here, they can disable your SIM card, and transfer all the services over to their own, so they can remotely access all SMS codes sent to your number. If your bank account is protected by SMS-based 2FA, for instance, they'll receive the code on their own device, authenticate themselves, and break into your account. Some scammers are even engaging in a practice know as traffic pumping, where they fool organizations into sending a large number of SMS messages to numbers the scammers own. They make a profit from those messages, while the rest of us deal with a deluge of spam. By moving away from SMS-based 2FA, Google hopes to limit this scam.
Instead of relying on SMS-based authentication, I've recommended using a dedicated authenticator app, or the password-less Passkeys system that Google itself is pushing quite a bit. When using an authenticator app, the code generates every 30 seconds on a secure service that is controlled by you, not by carriers. Authenticator apps themselves require biometric authentication, and can be password protected as well, which adds an extra layer of security. You can use a physical key for maximum authentication security, but a properly setup authenticator app will be plenty secure.
If you're game to ditch passwords altogether, passkeys are even more secure. Passkeys are cryptographically generated keys for each login, and they are unique to the device or passwords app. A passkey generated for Google, on your Mac, never leaves the device. Even if someone gets their hands on the key file, it can't be hacked as it's encrypted.
Passkeys are the future, but in the meantime, Google is shifting to QR codes as the default verification method for phone numbers.
When users log in on a new device, they'll be prompted with a QR code that they can scan using their smartphone to authenticate. Using a QR code for verification stops phishing attacks, as there's no code to share. And because the QR code scanning is happening in person, between two devices in proximity, there are no carrier codes involved, or online servers.
There's no timeline for this yet, as all that Google has said is to "look for more from us on this in the near future." As the feature rolls out, I'll detail those steps here.
Full story here:
Now, however, the winds are changing: Google is the latest company looking to switch from SMS codes to an alternative method. As reported by Forbes, the company is planning to shift from SMS codes to QR codes. This is a good thing, even if it changes how you sign into your Google Account.
SMS 2FA isn't secure enough
It's surprisingly easy to get hold of an SMS code. If someone steals your smartphone, for example, they'll be able to access all of the SMS codes it receives. But scammers don't need physical access to intercept your SMS codes. In fact, they can do this while sitting in another part of the globe.
Scammers can trick carriers into taking over your phone's SIM card. From here, they can disable your SIM card, and transfer all the services over to their own, so they can remotely access all SMS codes sent to your number. If your bank account is protected by SMS-based 2FA, for instance, they'll receive the code on their own device, authenticate themselves, and break into your account. Some scammers are even engaging in a practice know as traffic pumping, where they fool organizations into sending a large number of SMS messages to numbers the scammers own. They make a profit from those messages, while the rest of us deal with a deluge of spam. By moving away from SMS-based 2FA, Google hopes to limit this scam.
Instead of relying on SMS-based authentication, I've recommended using a dedicated authenticator app, or the password-less Passkeys system that Google itself is pushing quite a bit. When using an authenticator app, the code generates every 30 seconds on a secure service that is controlled by you, not by carriers. Authenticator apps themselves require biometric authentication, and can be password protected as well, which adds an extra layer of security. You can use a physical key for maximum authentication security, but a properly setup authenticator app will be plenty secure.
If you're game to ditch passwords altogether, passkeys are even more secure. Passkeys are cryptographically generated keys for each login, and they are unique to the device or passwords app. A passkey generated for Google, on your Mac, never leaves the device. Even if someone gets their hands on the key file, it can't be hacked as it's encrypted.
Google is shifting default 2FA to QR codes
Passkeys are the future, but in the meantime, Google is shifting to QR codes as the default verification method for phone numbers.
When users log in on a new device, they'll be prompted with a QR code that they can scan using their smartphone to authenticate. Using a QR code for verification stops phishing attacks, as there's no code to share. And because the QR code scanning is happening in person, between two devices in proximity, there are no carrier codes involved, or online servers.
There's no timeline for this yet, as all that Google has said is to "look for more from us on this in the near future." As the feature rolls out, I'll detail those steps here.
Full story here:
![[DK]](/data/avatars/s/57/57999.jpg?1720990206){kind=avatar}
